BLOOMINGTON, Ind. -- The National Institutes of Health (NIH) has awarded $538,595 to the Center for Applied Cybersecurity Research to support a two-year project titled "Protecting Privacy in Health Research." The IU-led project assembles a blue-ribbon panel of experts in medical research, privacy, security, law, ethics, and patient advocacy from eleven national and international partner organizations.

The Center for Applied Cybersecurity Research (CACR) is part of the Pervasive Technology Institute at Indiana University. Funds for the grant award were made available through the NIH as part of the American Recovery and Reinvestment Act of 2009.

Panel members will work collaboratively to develop new approaches to protecting the privacy and security of personal data used in health research, while striving to reduce the challenges imposed upon that research by current laws. The group specifically intends to address the Health Insurance Portability and Accountability Act's (HIPAA) "Privacy Rule," which they contend falls short of adequately protecting privacy, yet impedes medical research by placing unreasonable burdens upon life scientists.

The grant proposal was crafted in response to a February 2009 report by the Institute of Medicine (IOM) Committee on Health Research and the Privacy of Health Information, which stated "first and foremost" that Congress should authorize Health and Human Services (HHS) to develop "a new approach in protecting privacy in health research" that would "exempt health research from the HIPAA Privacy Rule." The IOM committee crafted a broad outline of recommendations, and the NIH is now soliciting, through this grant program, input from medical security experts and scholars in order to complete a more detailed set of recommendations.

"Through this panel, we aim to develop a specific proposal for a new approach to privacy in health research that could serve as the basis for regulation or legislation and a proposed resolution to the five sets of issues raised by the IOM committee's work," said Fred Cate, director of the CACR and Distinguished Professor and C. Ben Dutton Professor of Law at the Maurer School of Law. "Eventually that will require removing inappropriate and inconsistent privacy regulations and substituting in their place a more rational, ethical privacy approach to privacy regulation than that reflected in HIPAA."

In accordance with the IOM's outline, the IU project proposes three primary deliverables: a more fully developed version of the IOM's primary recommendation -- a new approach that would enhance both privacy and research by moving away from HIPAA's reliance on narrow, bureaucratic measures; a written, legislative history that would summarize the existing research, highlight the key policy choices, and identify why the panel made the specific recommendations that it did; and a process of socialization of the IOM committee's recommendation and the panel's further development of it that is free from lobbying or outside influence.

Panelists will convene several times over the next 18 months with the goal of submitting their recommendations by May 2011.

"This is a very tight and ambitious timeline, but it reflects both the urgency of the need and the scope of the project, which is to develop and justify specific, practical proposals addressing each of the issues raised by the IOM committee," Cate said.

The project team is also working to achieve two broader goals: improve the quality and lower the cost of health research; and improve the privacy protection for individuals' personal information used in health research.

"Anything we do to streamline and improve the process of data security in medical research will help to reduce the length of projects and lower the cost of that research," said Cate. "Reducing the cost of medical research is a serious national challenge and we are pleased to be contributing to one part of the solution."

In addition to Cate, the panel will include:

• Marc Boutin, executive vice president and chief operating officer of the National Health Council;

• Arthur L. Caplan, PhD, FAAS, Emanuel & Robert Hart Professor of Bioethics and director of the Center for Bioethics at the University of Pennsylvania;

• Barbara J. Evans, a law professor, co-director of the Health Law & Policy Institute, and director of the Center on Biotechnology & Law at the University of Houston Law Center;

• Sandra J. Horning, a professor of medicine/oncology at the Stanford School of Medicine;

• Bernard Lo, a professor of medicine and director of the Program in Medical Ethics at the University of California-San Francisco;

• Bradley Malin, an assistant professor in the Department of Biomedical Informatics in the School of Medicine and director of the Health Information Privacy Lab at Vanderbilt University;

• Paul M. Schwartz, a professor of law at the University of California, Berkeley School of Law, and director of the Berkeley Center for Law & Technology;

• Richard Thomas, the Information Commissioner of the United Kingdom; and

• Clyde W. Yancy, medical director of the Baylor Heart and Vascular Institute and chief of Cardiothoracic Transplantation at Baylor University Medical Center.

Federal investments in healthcare privacy align with several areas of work in Indiana that are being coordinated by BioCrossroads.

About Pervasive Technology Institute and the Center for Applied Cybersecurity Research

Pervasive Technology Institute (PTI) at Indiana University is a world-class organization dedicated to the development and delivery of innovative information technology to advance research, education, industry, and society. Supported in part by a $15 million grant from the Lilly Endowment, Inc., PTI is built upon a spirit of collaboration and brings together researchers and technologists from a range of disciplines and organizations, including the IU Bloomington School of Informatics and Computing, the Maurer School of Law, and University Information Technology Services at Indiana University.

The Center for Applied Cybersecurity Research is led by Dr. Fred Cate, Distinguished Professor and C. Ben Dutton Professor of Law at the Maurer School of Law. Founded in 2002, the Center works to enhance the security and integrity of information systems, technologies, and content. CACR facilitates research and education informed by, and integrated with, the practice of information assurance. The Center incorporates the extensive practical experience in cybersecurity of Indiana University's operational units, including the Information Technology Security and Policy Offices, the Advanced Network Management Lab, the Research and Education Information Sharing and Analysis Center, and the Network Operations Center for Internet2.